{{- if .Values.rbacManager.deploy }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "crossplane.name" . }}-rbac-manager
  labels:
    app: {{ template "crossplane.name" . }}
    {{- include "crossplane.labels" . | indent 4 }}
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
    - apps
  resources:
    - deployments
  verbs:
    - get
    - list
    - watch
# The RBAC manager creates a series of RBAC roles for each namespace it sees.
# These RBAC roles are controlled (in the owner reference sense) by the namespace.
# The RBAC manager needs permission to set finalizers on Namespaces in order to
# create resources that block their deletion when the
# OwnerReferencesPermissionEnforcement admission controller is enabled.
# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups:
  - ""
  resources:
  - namespaces/finalizers
  verbs:
  - update
- apiGroups:
  - apiextensions.crossplane.io
  resources:
  - compositeresourcedefinitions
  verbs:
  - get
  - list
  - watch
# The RBAC manager creates a series of RBAC cluster roles for each XRD it sees.
# These cluster roles are controlled (in the owner reference sense) by the XRD.
# The RBAC manager needs permission to set finalizers on XRDs in order to
# create resources that block their deletion when the 
# OwnerReferencesPermissionEnforcement admission controller is enabled.
# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups:
  - apiextensions.crossplane.io
  resources:
  - compositeresourcedefinitions/finalizers
  verbs:
  - update
- apiGroups:
  - pkg.crossplane.io
  resources:
  - providerrevisions
  verbs:
  - get
  - list
  - watch
# The RBAC manager creates a series of RBAC cluster roles for each ProviderRevision
# it sees. These cluster roles are controlled (in the owner reference sense) by the
# ProviderRevision. The RBAC manager needs permission to set finalizers on
# ProviderRevisions in order to create resources that block their deletion when the 
# OwnerReferencesPermissionEnforcement admission controller is enabled.
# See https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
- apiGroups:
  - pkg.crossplane.io
  resources:
  - providerrevisions/finalizers
  verbs:
  - update
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  - roles
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  # The RBAC manager may grant access it does not have.
  - escalate
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  verbs:
  - bind
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  verbs:
  - "*"
- apiGroups:
  - ""
  - coordination.k8s.io
  resources:
  - configmaps
  - leases
  verbs:
  - get
  - list
  - create
  - update
  - patch
  - watch
  - delete
{{- end}}
